Log Files by Importance

Understanding Log Files

When viewing log files to troubleshoot issues, it is important to understand how each of them work in order to quickly diagnose issues. The purpose of this article is to inform the reader of what each log file contains, and which log files are important.

There are some similarities across almost all log files:

  • The very first segment of each line in a log file will be a timestamp. This is the time that the issue or event occurred. This will be in YYYY-MM-DD followed by 24 Hour time.
  • In any log file that has to do with a specific email being sent or recieved, the following segment will be an LCID. This is always in the format of [####]. The LCID is unique to that specific email. Once you find the LCID of an email, you can search that LCID in the log viewer of your admin console across multiple logs to give you a full trail of the email, as well as narrow down the specific issue.

Log Files and Descriptions

Important Logs

This is a list of log files that you will typically use when troubleshooting. Click on the links for each log to see a page dedicated to that specific feature as well as understanding that log file. Click on any of the log names to be taken to a page that will explicitly explain how each of those logs work.

Log Name Log Description

AuthTerminate.log

ConnTerminate.log

FromTerminate.log

HelloTerminate.log

rcptTerminate.log

TimeoutTerminate.log

SMTPError.log




All of these logs refer to Xeams Intrusion detection. To learn more about Intrusion detection checkout this page:Intrusion Detection



For information about each specific log, click on any one of their names.

SMTPConversation.log

This log contains communication between a foreign SMTP server sending to Xeams.

SMTPProxyConversation.log

This log is identical to SMTPConversation.log but will only be logged to when Xeams is running as a Proxy server.

IMAPConversation.log

This log is Xeams has a IMAP server configured. Any commands sent between Xeams and the IMAP client, such as Microsoft Outlook or Mozilla Thunderbird, will be logged here.

POP3Conversation.log

This log is Xeams has a POP3 server configured. Any commands sent between Xeams and the POP3 client, such as Microsoft Outlook or Mozilla Thunderbird, will be logged here.

SMTPOuboundConversation.log

This log refers to messages going Outbound from Xeams. Anything leaving Xeams SMTP server will be logged to SMTPOuboundConnversation.log.

OutboundAuditTrailSuccess.log

OutboundAuditTrailFailure.log


These logs are in addition to SMTPOuboundConversation.log. If there are any errors with this process you will see more detailed information about that message in OutboundAuditTrailFailure.log, whereas successful messages will be in OutboundAuditTrailSuccess.log

InvalidPasswordAttempts.log If someone attempts to connect to Xeams using a valid account with an invalid password, this log will list the IP address and attempted username of any invalid password attempts. This page will talk about this: Invalid Passwords
NDR.log This log will be written to whenever Xeams sends or receives an NDR. For more information on NDR checkout this page: Xeams NDR
SuccessfulLogins.log The SuccessfulLogins.log will record any user that entered their credentials correctly. This includes SMTP, HTTP, IMAP and POP3. This is useful to find out which user logged in during a specific time, and if they are logging in securely or not.
Xeams.log This log contains information about the Xeams webserver itself. For troubleshooting generic webserver issues start here. For information on Xeams.log checkout this page: Xeams Logging

Generic Logs

This is a list of logs that are either generic webserver logs, or only logged to when a specific feature is enabled in Xeams.

Log Name Log Description
DeletedEmails.log This contains information about emails that are scored higher than your deletion threshold. When an email is automatically deleted by Xeams, it will be logged here. This will contain the Timestamp, Subject, Sender and Recipient.
DKIMFailure.log If there is a problem with DKIM from either an Incomming or Outgoing message, it will be logged here. This contains the Timestamp, LCID, Subject, Sender and Recipient.
DRVCommunication.log List of emails deleted by users. This contains timestamp of deletion, IP of the machine that deleted the email, username, subject of the email, file location of the .eml file.
E2EEnc.log If the End-To-End Encryption feature is enabled in Xeams, whenever an email is sent using E2E Encryption it will be logged to E2EEnc.log. This contains the Timestamp, LCID, Sender and Recipient.
EmailRestoration.log If a user restores an email from their Quarantine Report, that will be logged here. This will contain the Timestamp of Restoration, Username, and subject of the email.
ExternalTools.log If you are running an external process when a new email is recieved via the External Tools feature, that process running will be logged here. It contains the timestamp, subject of the message that triggered this tool, and which tool was triggered. For more information on External Processes checkout this page: External Processes
ForgedSenders.log Description Here
GreyListing.log If the Grey Listing feature is enabled in Xeams, any messages that are received that contain a Grey Listed IP are logged here. For information on this feature and how to understand this log go to this page: Grey Listing
MailingList.log This log is written to when the Mailing List feature of Xeams is utilized.
MailMerge.log This log is written to when the Mail Merge feature of Xeams is utilized.
OutboundForgeries.log If an Outbound Forgery alert is generated that will be logged here. This will contain the Timestamp, LCID, Sender, Recipeint and Subject of the email.
Performance.log description here
ProxyAudtiTrail.log If Xeams is running with the Proxy SMTP server enabled, the full audit trail will be logged here.
QuarantineReports.log Xeams sends out quarantine reports to users at specified times. When a quarantine report is sent to a user it will be logged here. This will contain the Timestamp, Recipeint of the reports, and how many total reports were generated and sent.
SmartHost.log If a smart host is used any communication between Xeams and the Smart host will be logged here.

SrvStdErr.log

SrvStdOut.log

StarterErr.log

StarterOut.log

These are generic Java webserver logs.
UserFilters.log If any user filtering rules are enabled, a log of these triggering will be written here. An example of this would be a rule that takes any inbound messages for John@mycompany.com and delivers them to the inbox of Frank@mycompany.com and Lisa@mycompany.com
ChallengeResponse.log This log contains information regarding Email Challenge/Response filtering. There is a page that talks about this here: Challenge/Response

Additional Logging

This section covers how to enable additional logging tools in Xeams.


To enable additional logging tools in Xeams you will need to modify the contents of logconfig.xml. This file is located in your main $INSTALL_DIR/ folder. Once editing this file, you will notice there are two sections:

  • The appender
  • The category

Each appender must have a corresponding category. The Appender specifies where the content is logged, such as the log name, size, and location, whereas the Category specifies what content is logged.

Additional Logs

This log will be used whenever a user creates a temporary email and that address recieves an email.

Appender
<appender class="org.apache.log4j.RollingFileAppender" name="TEMP_EMAIL">
<param name="File" value="logs/TempEmailTransformer.log"/>
<param name="Append" value="true"/>
<param name="MaxFileSize" value="5MB"/>
<layout class="org.apache.log4j.PatternLayout">
</layout>
</appender>
Category
<category name="TempEmailTransformer" additivity="false">
<priority value="DEBUG"/>
<appender-ref ref="TEMP_EMAIL"/>
</category>

If you have the Front Door Rejector enabled and specified for IP filtering, events caught by the rejector will be logged here.

Appender
<appender class="org.apache.log4j.RollingFileAppender" name="IPATTACKER">
<param name="File" value="logs/IPAttacker.log"/>
<param name="Append" value="true"/>
<param name="MaxFileSize" value="5MB"/>
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>

Category
<category name="IPAttacker" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="IPATTACKER"/>
</category>

If you have the Front Door Rejector enabled and specified for IP filtering, events caught by the rejector will be logged here.

Appender
<appender class="org.apache.log4j.RollingFileAppender" name="LDAP">
    <param name="File" value="logs/Ldap.log"/>
    <param name="Append" value="true"/>
    <param name="MaxFileSize" value="5MB"/>
        <layout class="org.apache.log4j.PatternLayout">
    <param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
    </layout>
</appender>

Category
<category name="LdapCommunication" additivity="false">
    <priority value="DEBUG" />
    <appender-ref ref="LDAP"/>
</category>

Xeams has the ability to handle emails with large attachments by using SynaMan to remove the attachment from the message and include it as a download link in the message body. If this occurs, Xeams will log the event here.

Appender

<appender class="org.apache.log4j.RollingFileAppender" name="LARGE_EMAIL_LOG">
<param name="File" value="logs/LargeEmails.log"/>
<param name="Append" value="true"/>
<param name="MaxFileSize" value="5MB"/>
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>

Category
<category name="LargeEmail" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="EMAIL"/>
<appender-ref ref="LARGE_EMAIL_LOG"/>
</category>

If you have setup a distribution list, whenever an email comes in and gets forwarded to multiple aliases, that email will be logged here, along with the users that recieved it.

Appender

<appender name="ALIAS_HANDLER" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/Aliases.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>


Category
<category name="AliasHandler" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="ALIAS_HANDLER"/>
</category>

Xeams has the ability to improve itself via the Spam Learner feature. Whenever you forward a message to the spam learner address it will be logged here.

Appender
<appender name="SPAM_LEARNER" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/SpamLearner.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>

Category
 

<category name="SpamLearner" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="SPAM_LEARNER"/>
</category>

If you have the Front Door Rejector enabled and configured to filter content, these events will be logged here.

Appender
<appender name="FRONTDOOR" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/FrontDoor.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>

Category
<category name="FrontDoorRejector" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="FRONTDOOR"/>
</category>

This log will have events related to emails caught by the DomainInspector filter.

Appender
<appender name="DOMAIN_INSPECTOR" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/DomainInspector.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>

Category
<category name="DomainInspector" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="DOMAIN_INSPECTOR"/>
</category>

If you have multiple Xeams server's running with clustering enabled, any communication between the servers is logged here.

Appender
<appender name="CLUSTER" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/Cluster.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p [%t] %c{2} - %m%n"/>
</layout>
</appender>

Category
<category name="ClusterManager" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="CLUSTER"/>
</category>

You can configure Xeams to assign scores to emails that come in with either invalid or no DMARC configured. If an email is assigned a score through this filter it will be logged here.

Appender
<appender name="DMARC" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/Dmarc.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="25MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p [%t] %c{2} - %m%n"/>
</layout>
</appender>

Category
<category name="Dmarc" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="DMARC"/>
</category>

If Xeams is configured to send emails out that it received from a different SMTP server, this log will check that email has a valid DMARC.

Appender
<appender name="DMARC_OB_REPORTS" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/DmarcObReports.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="25MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p [%t] %c{2} - %m%n"/>
</layout>
</appender>

Category
<category name="DmarcOutboundReporter" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="DMARC_OB_REPORTS"/>
</category>

Appender
<appender name="NO_TLS" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/NoTLSRejections.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="25MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>

Category
<category name="SMTP_TLS_NOT_USED" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="NO_TLS"/>
</category>
Appender
<appender name="RBL_SERVERS" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/RblServers.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>

Category
<category name="RBLServerCheck" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="RBL_SERVERS"/>
</category>

If you use SynRBL as your RBL server in Xeams, any filtering that is caught by the SynRBL is logged here.

Appender
<appender name="SynRBL" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/SynRBL.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>

Category
<category name="SynRblCUM" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="SynRBL"/>
</category>

Appender
<appender name="WELL_KNOWN_DOMAINS" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/WellKnownDomains.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>

Category
<category name="WellKnownDomains" additivity="false">
<priority value="DEBUG"/>
<appender-ref ref="WELL_KNOWN_DOMAINS"/>
</category>
Appender
<appender name="VIRUS_DETECTOR" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/VirusDetector.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>

Category
<category name="VirusDetector" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="VIRUS_DETECTOR"/>
</category>
Appender
<appender name="ClamAV_Client" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/ClamAVClient.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />   
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>

Category
<category name="ClamAvClient" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="ClamAV_Client" />
</category>
Appender
<appender name="CUSTOM_FILTERS_PERF" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/CustomFiltersPerf.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>

Category
<category name="CustomFilterPerformance" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="CUSTOM_FILTERS_PERF"/>
</category>
Appender
<appender name="OB_THRU_SLAVE" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/ObThruSlaves.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="25MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>

Category
<category name="OutboundEmailToSlaves" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="OB_THRU_SLAVE"/>
</category>
This log is associated with the External Tool feature.
Appender
<appender name="EXTERNAL_TOOL" class="org.apache.log4j.RollingFileAppender">
	<param name="File" value="logs/ExternalTool.log" />
	<param name="Append" value="true" />
	<param name="MaxFileSize" value="5MB" />
	<layout class="org.apache.log4j.PatternLayout">
	<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
	</layout>
</appender>

Category
<category name="ExternalTool" additivity="false">
	<priority value="DEBUG" />
	<appender-ref ref="EXTERNAL_TOOL"/>
</category>

If you have custom recipient rejectors specified for your front door rejector, any blocked recipients will be logged here.

Appender
<appender name="CUSTOM_RR" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/CustomRecipientRejector.log"/>
<param name="Append" value="true"/>
<param name="MaxFileSize" value="5MB"/>
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>

Category
<category name="CustomRecipientRejector" additivity="false">
<priority value="DEBUG"/>
<appender-ref ref="CUSTOM_RR"/>
</category>

Troubleshooting

This section covers which logs to look at when troubleshooting specific errors.

Troubleshooting Scenarios

If you cannot reach Xeams webserver, even from the local machine, there could be an issue with it. First, confirm that the webserver is running by checking the services on the local machine for Xeams. If it is running, restart the service.

Once the service has been restarted, check to see if the webserver is now reachable.

In either situation, open up Xeams.log and scroll to the very end. Slightly above the end you should see a line that looks like this:

xeams.ServerStarter - ---------------------------------------------------

This line is the restart of Xeams. If the server is now reachable you can scroll up from here and search for [ERROR] lines to see what has gone wrong.

If the server is still unreachable, search below the lines for [ERROR] lines to see what is causing the server to not start.

If you are having issues with inbound emails, check out our troubleshooting page on this here: Troubleshooting Inbound Messages

If you are having issues with outbound emails, check out our troubleshooting page on this here: Troubleshooting Outbound Messages

Certain configurations can slow down Xeams, making it unresponsive. Please take a look at the performance KB article to help you troubleshoot the root of the cause.

Additional articles/notes: